From 565c2edb0ace48a0e8b1bd62199bf0740554cc63 Mon Sep 17 00:00:00 2001 From: Niklas Riekenbrauck Date: Fri, 1 Apr 2016 19:04:28 +0200 Subject: [PATCH] Fix issues with JWT login --- synapse/config/jwt.py | 2 ++ synapse/rest/client/v1/login.py | 9 ++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/synapse/config/jwt.py b/synapse/config/jwt.py index 4cb092bbe..5c8199612 100644 --- a/synapse/config/jwt.py +++ b/synapse/config/jwt.py @@ -30,6 +30,8 @@ class JWTConfig(Config): def default_config(self, **kwargs): return """\ + # The JWT needs to contain a globally unique "sub" (subject) claim. + # # jwt_config: # enabled: true # secret: "a secret" diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index d14ce3efa..166a78026 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -224,16 +224,19 @@ class LoginRestServlet(ClientV1RestServlet): @defer.inlineCallbacks def do_jwt_login(self, login_submission): - token = login_submission['token'] + token = login_submission.get("token", None) if token is None: - raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) + raise LoginError(401, "Token field for JWT is missing", + errcode=Codes.UNAUTHORIZED) try: payload = jwt.decode(token, self.jwt_secret, algorithms=[self.jwt_algorithm]) + except jwt.ExpiredSignatureError: + raise LoginError(401, "JWT expired", errcode=Codes.UNAUTHORIZED) except InvalidTokenError: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) - user = payload['user'] + user = payload.get("sub", None) if user is None: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED)